Time to Leave the Theater; Lessons from the Sony Hack

Don’t get me wrong – Bruce Schneier is brilliant. He’s often a lonely advocate for meaningful security, and he even invented one of our favorite phrases, “Security Theater,” which can be used to describe most of the established approaches to online security.

The danger of security theater is that it lulls people into a false sense of security if they believe what they see in the theater. This is exactly what email security has been to date.

Security has focused on the networks on which we read our email and the authentication we use to log ourselves in, but has done little to secure the messages themselves. The most important lesson from the Sony hack is also the easiest one to address: network security is a joke in the face of targeted hacks, especially when it comes to email.

“The worst invasion of privacy from the Sony hack didn’t happen to the executives or the stars; it happened to the blameless random employees who were just using their company’s email system. Because of that, they’ve had their most personal conversations — gossip, medical conditions, love lives — exposed. The press may not have divulged this information, but their friends and relatives peeked at it. Hundreds of personal tragedies must be unfolding right now.”

Yes, this is the core of the problem for Sony. Lives have been ruined by the leak of employees’ candid, personal conversations. “Hundreds of personal tragedies” are unfolding right now because we’ve blindly trusted ineffective email security. Schneier gets that this is the real threat, but then he muddles the message by failing to understand that email doesn’t have to be this insecure:

“We have no choice but to entrust companies with our intimate conversations: on email, on Facebook, by text and so on. We have no choice but to entrust the retailers that we use with our financial details. And we have little choice but to use cloud services such as iCloud and Google Docs.”

What he’s missing is that we do have a choice. We can use Gmail and Google Docs while still preserving our privacy. Documents and emails can be encrypted in the browser before they are sent to company email servers or cloud-based email services, and keys can be stored by secured third parties. His framing suggests that Schneier buys into the false compromise of greater convenience for lesser security, which is the problem we’ve been working to solve.

Virtru secures data in the cloud and at rest on company servers. If Sony had used Virtru to send secure messages across their organization, they could have revoked global access to all messages and attachments. They could have just expired everything and limited the scope of the damages, and this news story wouldn’t have happened. Sony could have allowed the free exchange of information by email without losing security and control of their content.

Schneier’s attitude in his piece is alarming because it ignores the fundamental lesson – we need to stop securing our networks and start securing our data. The real lesson of the Sony hack is that network-centric security is theater — it secures nothing at all. It doesn’t secure your business in an age where data can be downloaded by the terabyte. And it won’t prevent bad actors from rifling through your entire email history.

This could happen to any company, and it is almost certain that it won’t be long until some other company’s secrets are laid bare for the world to see.

For those ready to leave the theater and take real action to prevent the next disaster, Virtru is here.

All you have to do is install our simple plug-in and you can encrypt email and protect content on demand. If you ever need to take something back, just click the revoke button. And it works with your existing email account.